A blog about Jedox Performance Management Technology and how to use it.

Introduction to Security in Jedox

Jedox has a robust security model. You can allocate permissions down to cell level if required. All of its security objects are held within cubes and dimensions so it is pretty straightforward to set up and apply security. Its user security is group and role based, which means that users are members of groups and groups have certain characteristics defined for them by their role memberships.

Jedox can be set up for LDAP and Single Sign on, which enables Network Administrators to deploy user security centrally via an Active Directory server.

Moving down from user security, most objects in Jedox can be managed by security as well. This includes elements, dimensions, cubes; as well as reports, folders, web objects (eg Report Manager). For instance, you might have an ETL developer who only requires the ETL Manager. You can easily set up a role which would only give this access.

The only thing that cannot be managed (at the moment) is databases. I am certainly looking forward to this in a future release as this would open up the potential for more powerful multi-tenancy applications.

User Security is managed by System Manager. Here we can add users, roles, groups and manage relationships between them:

Unfortunately, you need to create your own reports out of the system database to manage Cube and Dimensional Security. After doing this half a dozen times, I realised that standardisation was required here, so I set up a couple of templates. Here are the ones we use for our clients:

These templates allow you to easily manipulate and manage security, including doing things like applying like-for-like security to new users, setting dimensional security, and cube permissions.

NOTE: If manipulating/changing these templates, DO NOT use PALO.DATAC formulas when accessing security cubes. You will get instability. You must use PALO.DATA formulas.

Permissions – The Hierarchy of Rights

Without getting too technical at this point, the key part to remember here is that you need to assign to a group certain levels of access to particular objects. By default, a group with no rights assigned or restricted will have access to everything (you can reverse this default if needed from Jedox 5 onwards).

When assigning security to cells, dimensions or cubes you have the following options:

S (splash): Exists only for the rights object “cell data”. It includes writing into consolidated cells and (indirectly) their children down to the lowest level.

D (delete): Permits the deletion of rights objects.

W (write): Permits the writing of rights objects.

R (read): Permits the reading of rights objects.

N (none): No type of access permitted.

A trap for young players here: assigning write access does not give you the right to enter a zero or delete a value. You can only add data. To get full ‘write’ rights, you need to actually assign Deletion (D) rights. The Deletion right also allows you to delete your data, which sometimes comes in handy.